In <slrniabget.2pl.joerg@alea.gnuu.de>, Jörg Sommer wrote:
>on a lenny system with the package git-core installed from the security
>repository, debsecan marks CVE-2010-2542 as not fixed. In the last weeks,
>I saw different versions popping up. At least, one claims to fix
>CVE-2010-2542.
A new Debian package of git-core was prepared for stable and included in the
5.0.6 update to Lenny. This version addressed the permissions issue, but it
hadn't spent any (much?) time in stable-proposed-updates or the security
repository.

Unfortunately, the i386 package was built in an odd environment, so git-core
in current Lenny (5.0.6) on i386 is broken (can't clone or init due to overly
restrictive permissions).

Stable is *only* updated at point releases, so git-core in Lenny (on i386)
will be broken until 5.0.7 is released. As users of the package know, this is
a fairly major regression over a relatively minor security issue.

Because of the severity of the issue, new versions of git-core were/are going
to be made through (at least) the security and volatile repositories and
possibly stable-proposed-updates and backports as well.

Bug #595728 documents most of this, and it may have been updated since last
time I researched the issue.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
